Overview

overview

7

Static

static

3

INVOICE.exe

windows7-x64

7

INVOICE.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    04-09-2023 09:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INVOICE.exe

  • Size

    611KB

  • MD5

    653fce7ffffb975dc4d7d89344105681

  • SHA1

    65d9b6be3027429e22dae42965ff9e5159562b30

  • SHA256

    70d57ad08d7ddb371bba0f2c530bc05fc59f507299b0af73477c564b1d740a97

  • SHA512

    fb35ecd1e741af89500268d0c65aff85c9e32a44e676daa467a0e4a5db27579d8138ad2658a9176aaa61e342453ff13669108f088d12a855752f6315b03f7d21

  • SSDEEP

    12288:A9/XABwK9N4fHk9Isn5xUhuJb/T0OsDlGOI+hx03z2ekz+:w/XdeQs5xGEXQRx03oz+

Score
7/10
collectionspywarestealer

Malware Config

Signatures

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
    "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
      "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1736-20-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1736-23-0x00000000005B0000-0x00000000005F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1736-12-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1736-13-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1736-26-0x00000000005B0000-0x00000000005F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1736-25-0x00000000005B0000-0x00000000005F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1736-24-0x0000000074D90000-0x000000007547E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1736-18-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1736-8-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1736-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1736-22-0x0000000074D90000-0x000000007547E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1736-27-0x00000000005B0000-0x00000000005F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1736-10-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1736-16-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1860-6-0x0000000000430000-0x000000000043A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1860-0-0x0000000074D90000-0x000000007547E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1860-21-0x0000000074D90000-0x000000007547E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1860-2-0x0000000004E40000-0x0000000004E80000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1860-7-0x0000000005750000-0x00000000057CA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1860-1-0x0000000001360000-0x0000000001400000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1860-5-0x0000000004E40000-0x0000000004E80000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1860-4-0x0000000074D90000-0x000000007547E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1860-3-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download